CVE-2017-14992 – github.com/vbatts/tar-split

Package

Manager: go
Name: github.com/vbatts/tar-split
Vulnerable Version: >=0 <0.10.2

Severity

Level: Medium

CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00312 pctl0.53793

Details

tar-split memory exhaustion Lack of content verification in Docker-CE (Also known as Moby) versions 1.12.6-0, 1.10.3, 17.03.0, 17.03.1, 17.03.2, 17.06.0, 17.06.1, 17.06.2, 17.09.0, and earlier allows a remote attacker to cause a Denial of Service via a crafted image layer payload, aka gzip bombing.

Metadata

Created: 2022-05-17T00:22:00Z
Modified: 2025-04-23T02:23:37Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-hqwh-8xv9-42hw/GHSA-hqwh-8xv9-42hw.json
CWE IDs: ["CWE-20", "CWE-770"]
Alternative ID: GHSA-hqwh-8xv9-42hw
Finding: F029
Auto approve: 1